Best practices (and not) for recovering account passwords online

[Screenshot: Barclaycard Ring MasterCard “forgot password” page]

[THIS POST HAS BEEN UPDATED.] Yesterday I mentioned a problem I was having with the Barclaycard Ring MasterCard “forgot password” page. Today I’m taking the extra step of showing the page, because this is something I don’t think has much customer service advantage. They’re using the same page whether you are setting up a new online persona or you have forgotten your password, in which case you simply have to choose a new username.

What else could Barclaycard have done? Send an email, at the user’s request, containing a unique link that expires after a few hours and can be used only once. That way the account stays secure (the link is unguessable and short-lived, and only someone who can read the user’s mailbox can follow it), but the user stays in control of it and keeps the username they already have. This is the nearly universal practice, and it’s interesting to see an exception and mull the pros and cons.
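To make the “emailed link” practice concrete, here is an added example of the server side of that flow. It is illustration code written for this post, not Barclaycard’s implementation, and it assumes a two-hour validity window, an in-memory dictionary standing in for the account database, and a hypothetical link host (reset.example.invalid). The server keeps only a SHA-256 hash of the token, so a leaked copy of the pending-resets table cannot be replayed; the raw token exists only in the email. The same store-only-a-hash principle, applied to the password itself with PBKDF2, is what makes it impossible for a site to email anyone their old password.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed policy for this example: a reset link is valid for two hours.
TOKEN_TTL_SECONDS = 2 * 60 * 60
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) via PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class PasswordResetService:
    """Issue and redeem single-use, time-limited password-reset links.

    Added illustration, not a bank's code. `users` is an in-memory stand-in
    for an account database; `clock` is injectable so expiry can be tested.
    """

    def __init__(self, users, clock=time.time):
        self.users = users      # username -> {"email": ..., "salt": ..., "pw": ...}
        self._pending = {}      # sha256(token) -> (username, expires_at)
        self._clock = clock

    def request_reset(self, email):
        """Create a reset link for the account owning `email`, or None if unknown.

        The caller should show the same neutral "check your email" message either
        way, so the response does not reveal which addresses are registered.
        """
        username = next((u for u, rec in self.users.items() if rec["email"] == email), None)
        if username is None:
            return None
        token = secrets.token_urlsafe(32)                        # 256 bits of entropy
        token_hash = hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored
        self._pending[token_hash] = (username, self._clock() + TOKEN_TTL_SECONDS)
        # Hypothetical host; a real link would point at the bank's own domain.
        return f"https://reset.example.invalid/reset?token={token}"

    def redeem(self, token, new_password):
        """Consume `token` and set `new_password`. Returns the username, or None."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use even if the rest of the request fails.
        entry = self._pending.pop(token_hash, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        salt, digest = hash_password(new_password)
        self.users[username]["salt"] = salt
        self.users[username]["pw"] = digest
        return username  # the username is untouched by the reset


def token_from_link(link):
    """Pull the token back out of the emailed URL, as the user's browser would submit it."""
    return parse_qs(urlparse(link).query)["token"][0]


def demo():
    """Walk through a normal reset, a replay, an unknown address and an expired link."""
    now = [1_700_000_000.0]                      # fake clock, advanced by hand below
    salt, digest = hash_password("old-secret")
    users = {"ringmember": {"email": "me@example.invalid", "salt": salt, "pw": digest}}  # constructed
    svc = PasswordResetService(users, clock=lambda: now[0])

    link = svc.request_reset("me@example.invalid")
    token = token_from_link(link)
    first = svc.redeem(token, "new-secret")                  # "ringmember"
    replay = svc.redeem(token, "attacker-choice")            # None: already consumed
    unknown = svc.request_reset("nobody@example.invalid")    # None: no such account

    stale = token_from_link(svc.request_reset("me@example.invalid"))
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.redeem(stale, "too-late")                  # None: past expiry

    rec = users["ringmember"]
    return {
        "first": first,
        "replay": replay,
        "unknown": unknown,
        "expired": expired,
        "new_pw_works": verify_password("new-secret", rec["salt"], rec["pw"]),
        "old_pw_works": verify_password("old-secret", rec["salt"], rec["pw"]),
        "username": next(iter(users)),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight: the pending entry is removed before anything else happens in redeem(), so a link can never be followed twice, and the expiry check uses the same injected clock the issuer used, so a stale link fails closed. Note that the username is not an input to either step; nothing in this flow gives a legitimate reason to make the user pick a new one.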

Requiring a new username is particularly onerous for Barclaycard Ring because it’s supposed to be a social networking community. If I change my username, what happens to the badges and contacts I’ve built up under my old username? But I think it’s not a very good practice in general, and this big international bank must be somehow very stretched for programming resources.

While I’m at it, here’s another not-best practice: confirming the new (or old) password by sending out an email that contains that password in plain text. Yikes! What if I’m reading my email in Starbucks or on an unsecured wireless hotspot at the airport? Even if I’m in the comfort and sanctity of my home, I’m still going to have to delete that email now, and any copy left on the mail server or in a backup is out of my hands. Worse, a site that can email you your old password is storing passwords in a recoverable form rather than as a salted hash, so a breach of its database exposes every customer’s password at once. The merchant or marketer probably thought they were doing me a favor by sending me a handy reminder. In contrast to the Barclaycard case, this is one we’ve all seen, probably several times. Don’t do it.

UPDATE July 3: got a call from Meagan in the Barclaycard digital marketing department, and she had a little difficulty reproducing the above page on a test account; possibly I had done something, like entering the wrong password too many times, that caused the system to “clear out my account”. What I should have seen was a reset page with my security image, and with her help I was able to get to that. More important, she and I discovered that if, instead of creating a new username in the screen captured above, I entered my current one (after confirming who I was with the challenge info above), the system would accept it.

The GOOD news was that when I finally got into my account my screen name had not changed at all; it must be different from the username the system recognizes. So all my badges, if I had them, would be intact.

Meagan says this is the password reset procedure used for all Barclaycard products, but she does understand how it might be a good idea to present it differently (and tell people they can keep their current username if they like) for the Ring cardmembers. I will be interested to see what they come up with.